Command to set modify Advanced Security Settings (Audit Settings for folders) on windows 2008

Hello,
We have requirement to modify  Advanced Security Settings (Audit Settings for folders) on windows 2008. I am looking for a command which does this job.
I know, using group policies I can do this; in fact I had done this using group policies. However, I need to do this on number of servers which are not in domain. There are around 15 folders on which I need to enable Auditing; manual editing folder advanced
permissions is a cumbersome job. Hence, I am looking for a command line options.
I need to know how command can be utilised to enable Audit option on a folder. Please share a command which can do this; once I get the command, I will create a batch file for other necessary folders. (BTW, this is not a scripting question, I just need to
know the command hence, please do not re-direct me to scripting forum)
Manually through GUI, I am setting following.. snaps are given below
Thanks !

You can try using Auditpol.exe: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
This
posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   
Microsoft
Student Partner 2010 / 2011
Microsoft
Certified Professional
Microsoft
Certified Systems Administrator: Security
Microsoft
Certified Systems Engineer: Security
Microsoft
Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows 7, Configuring
Microsoft
Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
Thanks but I guess, auditpol ca be used only to manipulate system audit policies. how do I specify a folder and user in auditpol ? I could not find or understand how folder can be included with auditpol command line options.
Thanks !

Similar Messages

  • I need help setting Win7 Advanced attributes for the USB drive connected to my EA4500 router

    I can drill down to the Permission Entry for [foldername] window for a folder on the USB drive. There I learn that user group Everyone does not have the Full Control permission box checked. When I check the box and then click Apply, I get an Error Applying Security window. If I click Continue there, I get a Windows Security window that says "Unable to save permission changes on [foldername]. Access is denied." with no way out but an OK button.
    I have Administrative authority in Win7, but maybe I need to know some Unix voodoo to come to terms with my router-mounted drive. I put the drive on the router to make always available, and I'd like to get it to work. For example, I can't turn the archive bit off for any file or folder on that drive when it's mounted on the router. Not with ATTRIB -A and not with XCOPY /M.
    Just to stuff it in my face, XCOPY /M returns a two-line error message for every sub-folder that exists in the target folder:
    Access denied
    Unable to create directory - foldername
    Help! And thanks in advance.
    :+)
    Solved!
    Go to Solution.

    Bill Dennes,
    (Solutions/Work-Arounds below this paragraph, but sets up some useful information.)
    As for the Security tab, I'm unsure of exactly why it doesn't appear on the tab itself for folders; however, clicking "Advanced -> Change Permissions -> Edit" will display the permissions; although, this doesn't appear to be a part of the problem in a sense. Additionally, “Everyone” always only has read & execute and is also not a part of the issue. To go further with this, the only users that have delete permission are “0” and “root” and since we can delete, we “should” be logged in as one of them and as such have “Full Control.”
    As for the drive type, I'm unsure of why it "changes" it from FAT32 to NTFS (probably something to do with how it handles permissions); however, this is also not a part of the issue.
    I have a flash drive formatted to FAT32, albeit only a 4GB and on an EA6500 with secure sharing enabled, that it does these both to and "xcopy testfolder Y:\ /e /m" works on it when all files and folders have the A attribute; however, disabling secure sharing makes it fail.
    I’ve looked further into this and there are three ways I know of, as of right now, to make copying files with the bat file work for you:
    The first way is to enable secure sharing and map the drives using it, once that is done you won’t need to enter the password again and your script will work as you currently have it coded. Given you have no need for the secure sharing, but it’s a simple solution. This is also the only way to be able to modify any attributes, although the only ones I know of that it will accept are R and A.
    The second way is to instead use ROBOCOPY with the options /e, /m, and /copy:dt.
    For example: "robocopy testfolder Y:\ /e /m /copy:dt"
    /e = Copy subdirectories, including empty ones. (or use /S which will not copy empty folders)
    /m = Copy only files with the Archive attribute and reset it.
    /copy:dt = Copy data and timestamps, does not copy attributes, security, owner info, or auditing info.
    The only important option to use is /copy:dt, the others can be replaced with whatever you need. Note that things like Song Author will still get copied as they are a part of the data section. I don’t believe XCOPY supports doing this, and in either case robocopy is a better solution that comes with Windows Vista and up, and can be gotten for those below Vista.
    The third way is to add a section to the script to remove attributes from all folders before using xcopy to copy to the NAS, or modify the section that is causing the folders to have the A attribute as xcopy will gladly still copy them with /E or /S enabled.
    The issue seems to be that when secure sharing is off, the server refuses attribute changing of folders, which is what is causing XCOPY to fail, as I suspect it attempts to change the attributes on the folders. Similarly, using robocopy without /copy:dt will also fail but gives you “Error 5 … changing file attributes [folder/path] Access is denied”. This is why I suspect that when XCOPY says “unable to create directory” that it is actually trying to change the attributes of the directory. Furthermore, it seems that the reason this works while secure sharing is on is that while it is on, the server pretends to accept the attributes but in reality ignores all attributes besides R. The server then adds the A attribute to all files put onto it, which you can only modify when secure sharing is enabled for some reason. The exception to this is that in either case, any file with the “H” (hidden) attribute, will not be copied, even if explicitly told to copy it. (This is true for both robocopy and xcopy; you also cannot manually add it afterwards.)
    Is there an issue with the files on the NAS having the A attribute? If so the only way I currently know of to get rid of it is to enable secure sharing and have the script remove the attribute after copying. For example, when you look at the permissions, the user "0" and “root” have full control as I've previously stated. You can tell Windows to specifically use one of them when mapping the drive, which in turn should give you full control; however, the server still refuses modifying attributes without secure sharing on for some strange unknown reason. Although, I am no "UNIX gearhead," so there may in fact be another way that I do not know of. The only time they are not listed as “Full Control” on my end is when a file was previously marked Read-Only, in which case they all share the same limited control. When I said in the beginning that the permissions are not a part of the problem in a sense, it’s more of that for the general case of what you need to do, they aren’t the problem as long as you don't need the R attribute and having the A isn't an issue, as it seems to be more of the server is refusing attributes even though we should have permission; however, they do appear to be a bit weird and are possibly displaying incorrect when secure sharing is disabled.
    I'd like to apologize in advance for any unclear, weirdly stated, or just plain odd things said in this post as I was pulled away to do a bunch of things and ended up editing, adding things, and finishing it late into the night and hope that one of the above is an acceptable resolution to your issue.

  • Advanced Security Application

    I've started testing the Cisco OnPlus Advanced Security Application.  It states that it is free for a limited time.  However I don't see how long that "limited time" is and I also don't see any information about costs, skus, etc. for maintaining the subscription.  Any assistance would be appreciated.  Thank you.                  

    As an update to this, I spoke with some of my contacts at Cisco.  From what I understand, there aren't currently any plans to make the Cisco OnPlus Advanced Security Application a "pay for" service.  It might be one day but at this time it should continue to work without expiration.

  • Has anyone tried Advanced Security Manager for System 9.0

    Hi All,
    I am having issues with Advanced Security Manager in system 9.0
    I am getting an error "essapin.dll" cannot be found.
    has anyone faced similar issue, if yes, how did you get around with that.
    thanks and regards.

    I got the problem solved.
    essapin.dll was with version 6.5 and from essapin.dll was replaced by essapinu.dll. Advanced Security Manager was searching for essapin.dll.
    I installed client version of 6.5, which got me essapin.dll.
    I am able to export all my filters with ASM now :-)

  • 8iR2 and Advanced Security Option?

    Can anyone confirm if 8iR2 (I'm downlaoding my copy now) fully implements the Advanced Security Option ... for sql*net, JDBC, and IIOP connections?
    I ask this 'coz in 8i (up to 8.1.5.0.2), even though the Advanced Security Option is 'enabled', I never got them to work and it complains of "uninstalled (or somethine like that) algorithms".

    John,
    The advance Security Option on the current release only supports the SSL protocol. The version that you have downloaded supports only "export" encryption.
    We are planning to release a full update of the ASO option to add things like kerberos authentication and others by mid June. We also plan to add the "strong encryption" capaility.
    Sorry for the delay.
    Regards,
    Josue Amaro
    Product Line Manager
    Linux Products
    Oracle Corporation

  • Internet Explorer Security Support on Windows 7 & WIndows 2008 Std Server

    I have an app page (tomcat https) that i was able to open from a windows 7 professional remotely but could not open from a windows 2008 std server.  Is there a security settings I need to disable from windows 2008 std server?  The firewall is disabled. 
    Both Win 7 & 2008 is on the same network.
    Thanks in advance.
    DT

    Hi,
    I need the error information from the Internet Explorer, if the error code is 404 that should be the webpage is not correctly developed, error code 500 means the tomcat server is not available, you should check the tomcat server, or another situation is
    the port number is in use by another application, normally the default port number is 8080, you can  try another port number in the comcat configuration file  to see the result.
    Regards
    Wade Liu
    TechNet Community Support

  • Set columns in the "Open file..." Finder window

    Hi,
    When selecting "Open File..." from the File menu in all my apps, the Finder opens a window with the columns:
    Name - Date Added - Kind - Size
    I just want to change the column Date Added to Date Modified. I have done it for my Finder windows in Finder options, but i does not work in the "Open File..." finder window...  and it's pretty annoying for me!
    Thanks for any help.

    Try going to your Home folder, bring up the Finder's view options, select Date Modified and click on Use As Defaults button.  All of of my Open windows display the Modified Date as the only date.

  • Dism command in windows 2008 SP2

    Ho do I run the command
    dism /online /cleanup-image /spsuperseded to clean up winsxs folder in windows 2008 SP2.I got message /online command works only in windows 2008 r2,and in windows 2008 sp2 it needs to be run in offline,can any one give idea how i run this command
    in windows 2008 sp2

    Hello,
    Firstly, please keep in mind that WinSXS folder is an important directory that keeps the shadow copy of the important system files, which gets changed during any installation of Patches or Updates or software. With the use of WinSXS Folder all system files
    can be reverted back to the stage where it was before installation of Patch/Update. Hence, it’s not wise to wipe the WinSxS folder.
    Secondly, just like the warning message suggested, DISM can only be used in Windows 7 and Windows Server 2008 R2 (Not in Windows Vista or in Windows Server 2008). For Windows Server 2008 SP2 or Windows Vista SP2, there is tool called Windows Component Clean
    Tool (COMPCLN.EXE).
    Refer to: Windows Component Clean Tool
    http://technet.microsoft.com/en-us/library/dd351467(v=WS.10).aspx#BKMK_COMPCLN
    •Windows Vista or Windows Server 2008 Service Pack 1:  VSP1CLN.EXE
    •Windows Vista or Windows Server 2008 Service Pack 2:  Compcln.exe
    •Windows 7 or Windows Server 2008 R2 Service Pack 1:  DISM /online /Cleanup-Image /SpSuperseded or Disk Cleanup Wizard (cleanmgr.exe)
    Thanks
    Zhang

  • Setting "Advanced security settings" on an OU using Powershell

    Hello,
    I have been tasked to create an OU with the simular permissions as another. On the current OU, the admin1 acount has special permissions (set within the Advanced Security Settings). For the new OU, they want a new admin2 account to have the same permissions
    on the OU as admin1 has on the current OU.
    I was able to extract the OU permissions using the following Powershell script:
    Get-QADObject 'OU=Temp,OU=,OU=Group,DC=Department,DC=Company,DC=com' -SecurityMask Dacl -sizelimit 0 |
    Get-QADPermission -Inherited -SchemaDefault |
    Select-Object account, rights, source, appliesto |
    Sort-Object account |
    Export-Csv c:\temp\report.csv -NoTypeInformation
    However, Powershell script did not provide the "Advanced Security Settings". Therefore, I am looking for a couple Powershell commands that:
    1. Copies the permission entries of the Advanced Security Settings Properties on an OU
    or
    2. Sets the permission entries of the Advanced Security Settings Properties on an OU
    Any help would be greatly appreciated.
    Mxer4life

    Hi,
    Please try with the following code to copy the atestuser1's ACL on TempOU1 and assign atestuser2 on TempOU2. Please be advised to test in your lab/test environment first. I tested only once. :)
    $ou1 = [adsi]"LDAP://OU=TempOU1,dc=adatum,dc=lab"
    $user1 = 'adatum\atestuser1'
    $ou2 = [adsi]"LDAP://OU=TempOU2,dc=adatum,dc=lab"
    $user2 = 'adatum\atestuser2'
    $acl1 = $ou1.psbase.ObjectSecurity.Access | ? {$_.IdentityReference -eq $user1}
    Write-host ($acl1 | out-string)
    $acl2 = $acl1 | % { New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ([System.Security.Principal.NTAccount]$user2), $_.ActiveDirectoryRights, $_.AccessControlType, $_.ObjectType, $_.InheritanceType, $_.InheritedObjectType }
    Write-host ($acl2 | out-string)
    $acl2 | % { $ou2.psbase.ObjectSecurity.AddAccessRule($_) }
    $ou2.psbase.CommitChanges()
    Write-host "After update with $user2"
    Write-host ($ou2.psbase.ObjectSecurity.Access | ? {$_.IdentityReference -eq $user2} | out-string)
    rgds,
    AZ

  • Error at RSOP while trying to set Audit settings via GPO

    Hello,
    i've configured Audit Policy via GPO and when i run RSOP on the server 2008 R2 i get X with the error "the policy engine did not attempt to configure the setting For more
    information, see %windir%\security\logs\winlogon.log on the target machine.
    Please help???

    Hi,
    This problem may occur if the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting is enabled. To resolve this issue, use one of the following methods, as appropriate for your situation.
    Method 1: Disable the policy setting by using Group Policy Object Editor
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
    Method 2: Disable the policy setting by using Registry Editor
    Note: Please backup the registry key before modify.
    1.Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
    2.Right-click SCENoApplyLegacyAuditPolicy, and then click Modify.
    3.Type 0 in the Value data box, and then click OK.
    Restart the computer after you make the change.
    For more information, please refer to:
    Security auditing settings are not applied to Windows Vista-based and Window Server 2008-based computers when you deploy a domain-based policy
    http://support.microsoft.com/kb/921468/en-us
    RSOP: the policy engine did not attempt to configure the setting
    http://social.technet.microsoft.com/Forums/en-AU/winserverGP/thread/fde42cfc-bb74-4e11-8b60-c1a3cb5d80ed
    If the problem still continues, please check the %windir%\security\logs\winlogon.log and reply the information in this log.
    Regards,
    Bruce

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell command Autorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Confirgured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Priviledge level is check with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documention I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • In which table can I find security audit settings from SM19?

    Hello everybody,
    I'd like to give certain users access to the security audit settings that we defined in SM19. They are supposed to be able to read them but not change anything. I've experimented a bit with SM19 authorizations and figured out that a read-only access to SM19 is possible if I deactivate S_C_FUNCT. The problem is that the aforementioned users already have complete access to S_C_FUNCT and are supposed to keep it. The also have AUDD and AUDA in S_ADMI_FCD. Ergo: If I just add the S_TCODE for SM19 they'd be able to change security audit settings and I don't want to allow that.
    Does anybody know the table where SM19 saves its settings? Maybe I could grant read-only access to that table via SM30 or SE16...
    Looking forward to your answers!
    Kind regards
    Mario

    Hi Mario,
    Restrict  access for table RSAUPROF , It should do!!!
    Regards

  • Setting IIS W3C Extended Log File settings via command line, registry or configuration file

    I am currently in need of a way to set IIS W3C Extended Log File settings via command line, registry or configuration file.  More specifically the 'Bytes Sent (sc-bytes)' and 'Bytes Received (cs-bytes)' settings that are not enabled by default. 
    If anyone knows where I can locate these setting (outside of the GUI) for all IIS versions that would be greatly appreciated.

    I believe I have found a valid solution. You must have the WebAdministration module loaded.  I hope this helps someone.
    Use the following syntax to view current W3C fields:
    Get-WebConfiguration -filter system.applicationhost/sites/sitedefaults/logfile | select-object -expandProperty logExtFileFlags
    Use the following syntax to set W3C fields:
    Set-WebConfigurationProperty -Filter System.Applicationhost/Sites/SiteDefaults/logfile -Name LogExtFileFlags -Value "Date,Time,ClientIP,UserName,SiteName,ComputerName,ServerIP,Method,UriStem,UriQuery,HttpStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,UserAgent,Cookie,Referer,ProtocolVersion,Host,HttpSubStatus"}

  • Does Audit Vault require Database Vault, Advanced Security or OLS?

    I wish to install Audit Vault. Is it mandatory to have Database Vault or Advanced Security or even Oracle Label Security if I don't care about the functionality of those products. I only wish to take advantage if the Audit Vault capabilities. Thanks in advance.

    Thank you for the reply. So I don't need Advanced Security and OLS but do need Database Vault. Since Database Vault is bundled in the Audit Vault installation software, can you tell me if that means the license fee payable for Database Vault is already included in the license fee I will pay for Audit Vault? Thanks again.

  • How to modify the setting in the security(Enhanced) by SDK

    Hi all,
    Is that possible that modify the setting in the security(Enhanced) by SDK  such as 'add Priviledged locations' ? how to ?
    Or is there any way to modify the setting in the security(Enhanced) by other way instead of in acrobat?
    Appreciate your any help!

    You can convert your MSG file(s) to EML format, edit Date: header in EML file with any plain text editor (like Notepad) and then convert it back to MSG.
    You can use free
    Convert Outlook MSG to EML Files and
    Convert EML Files to Outlook MSG utilities to perform the conversion.
    Alexey Kuznetsov,
    Relief Software
    More than 100 free add-ins for Outlook

Maybe you are looking for